Diffstat (limited to 'meta/recipes-connectivity/openssh')
-rw-r--r--meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch61
-rw-r--r--meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch96
-rw-r--r--meta/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch28
-rwxr-xr-xmeta/recipes-connectivity/openssh/openssh/run-ptest16
-rw-r--r--meta/recipes-connectivity/openssh/openssh/ssh_config14
-rw-r--r--meta/recipes-connectivity/openssh/openssh/sshd.service18
-rw-r--r--meta/recipes-connectivity/openssh/openssh/sshd.socket1
-rw-r--r--meta/recipes-connectivity/openssh/openssh/sshd_check_keys4
-rw-r--r--meta/recipes-connectivity/openssh/openssh/sshd_config17
-rw-r--r--meta/recipes-connectivity/openssh/openssh_9.7p1.bb (renamed from meta/recipes-connectivity/openssh/openssh_8.4p1.bb)130
10 files changed, 285 insertions, 100 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch
new file mode 100644
index 0000000000..8763f30f4b
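--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch
@@ -0,0 +1,61 @@
+From f5a4dacc987ca548fc86577c2dba121c86da3c34 Mon Sep 17 00:00:00 2001
+From: Mikko Rapeli <mikko.rapeli@linaro.org>
+Date: Mon, 11 Sep 2023 09:55:21 +0100
+Subject: [PATCH] regress/banner.sh: log input and output files on error
+
+Some test environments like yocto with qemu are seeing these
+tests failing. There may be additional error messages in the
+stderr of ssh cloent command. busybox cmp shows this error when
+first input file has less new line characters then second
+input file:
+
+cmp: EOF on /usr/lib/openssh/ptest/regress/banner.in
+
+Logging the full banner.out will show what other error messages
+are captured in addition of the expected banner.
+
+Full log of a failing banner test runs is:
+
+run test banner.sh ...
+test banner: missing banner file
+test banner: size 0
+cmp: EOF on /usr/lib/openssh/ptest/regress/banner.in
+banner size 0 mismatch
+test banner: size 10
+test banner: size 100
+cmp: EOF on /usr/lib/openssh/ptest/regress/banner.in
+banner size 100 mismatch
+test banner: size 1000
+test banner: size 10000
+test banner: size 100000
+test banner: suppress banner (-q)
+FAIL: banner
+return value: 1
+
+See: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15178
+
+Upstream-Status: Denied [https://github.com/openssh/openssh-portable/pull/437]
+
+Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
+---
+ regress/banner.sh | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/regress/banner.sh b/regress/banner.sh
+index a84feb5a..de84957a 100644
+--- a/regress/banner.sh
++++ b/regress/banner.sh
+@@ -32,7 +32,9 @@ for s in 0 10 100 1000 10000 100000 ; do
+ verbose "test $tid: size $s"
+ ( ${SSH} -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
+ cmp $OBJ/banner.in $OBJ/banner.out ) || \
+- fail "banner size $s mismatch"
++ ( verbose "Contents of $OBJ/banner.in:"; cat $OBJ/banner.in; \
++ verbose "Contents of $OBJ/banner.out:"; cat $OBJ/banner.out; \
++ fail "banner size $s mismatch" )
+ done
+
+ trace "test suppress banner (-q)"
+--
+2.34.1
+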
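Review bot: The failure branch added to regress/banner.sh runs `fail "banner size $s mismatch"` inside a parenthesised subshell, so anything `fail` records in shell variables is discarded when the subshell exits; presumably the harness tracks the test result that way, in which case a mismatch would print its message without changing the final status (confirm against the definition of `fail` in the regress harness). Brace grouping keeps the call in the current shell: `{ verbose "Contents of $OBJ/banner.in:"; cat "$OBJ/banner.in"; verbose "Contents of $OBJ/banner.out:"; cat "$OBJ/banner.out"; fail "banner size $s mismatch"; }`. The added `cat $OBJ/banner.in` and `cat $OBJ/banner.out` also leave `$OBJ` unquoted. The enclosing `for` loop starts outside the hunk.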
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch b/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch
new file mode 100644
index 0000000000..f079d936a4
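--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch
@@ -0,0 +1,96 @@
+From b02ef7621758f06eb686ef4f620636dbad086eda Mon Sep 17 00:00:00 2001
+From: Matt Jolly <Matt.Jolly@footclan.ninja>
+Date: Thu, 2 Feb 2023 21:05:40 +1100
+Subject: [PATCH] systemd: Add optional support for systemd `sd_notify`
+
+This is a rebase of Dennis Lamm's <expeditioneer@gentoo.org>
+patch based on Jakub Jelen's <jjelen@redhat.com> original patch
+
+Upstream-Status: Submitted [https://github.com/openssh/openssh-portable/pull/375/commits/be187435911cde6cc3cef6982a508261074f1e56]
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ configure.ac | 24 ++++++++++++++++++++++++
+ sshd.c | 13 +++++++++++++
+ 2 files changed, 37 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index 82e8bb7..d1145d3 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -4870,6 +4870,29 @@ AC_SUBST([GSSLIBS])
+ AC_SUBST([K5LIBS])
+ AC_SUBST([CHANNELLIBS])
+
++# Check whether user wants systemd support
++SYSTEMD_MSG="no"
++AC_ARG_WITH(systemd,
++ [ --with-systemd Enable systemd support],
++ [ if test "x$withval" != "xno" ; then
++ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
++ if test "$PKGCONFIG" != "no"; then
++ AC_MSG_CHECKING([for libsystemd])
++ if $PKGCONFIG --exists libsystemd; then
++ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
++ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
++ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
++ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
++ AC_MSG_RESULT([yes])
++ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
++ SYSTEMD_MSG="yes"
++ else
++ AC_MSG_RESULT([no])
++ fi
++ fi
++ fi ]
++)
++
+ # Looking for programs, paths and files
+
+ PRIVSEP_PATH=/var/empty
+@@ -5688,6 +5711,7 @@ echo " libldns support: $LDNS_MSG"
+ echo " Solaris process contract support: $SPC_MSG"
+ echo " Solaris project support: $SP_MSG"
+ echo " Solaris privilege support: $SPP_MSG"
++echo " systemd support: $SYSTEMD_MSG"
+ echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
+ echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
+ echo " BSD Auth support: $BSD_AUTH_MSG"
+diff --git a/sshd.c b/sshd.c
+index b4f2b97..6820a41 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -88,6 +88,10 @@
+ #include <prot.h>
+ #endif
+
++#ifdef HAVE_SYSTEMD
++#include <systemd/sd-daemon.h>
++#endif
++
+ #include "xmalloc.h"
+ #include "ssh.h"
+ #include "ssh2.h"
+@@ -308,6 +312,10 @@ static void
+ sighup_restart(void)
+ {
+ logit("Received SIGHUP; restarting.");
++#ifdef HAVE_SYSTEMD
++ /* Signal systemd that we are reloading */
++ sd_notify(0, "RELOADING=1");
++#endif
+ if (options.pid_file != NULL)
+ unlink(options.pid_file);
+ platform_pre_restart();
+@@ -2093,6 +2101,11 @@ main(int ac, char **av)
+ }
+ }
+
++#ifdef HAVE_SYSTEMD
++ /* Signal systemd that we are ready to accept connections */
++ sd_notify(0, "READY=1");
++#endif
++
+ /* Accept a connection and return in a forked child */
+ server_accept_loop(&sock_in, &sock_out,
+ &newsock, config_s);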
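Review bot: The configure.ac block appends `$SYSTEMD_LIBS` to `SSHDLIBS`, which links all of libsystemd, and whatever that library itself depends on, into sshd for the sake of two `sd_notify()` calls. That enlarges the code loaded into a network-facing daemon before authentication, and the sshd.service added by this same commit sets no `Type=notify`, so the READY=1 and RELOADING=1 messages appear to go unused in service mode. Consider writing the notification to `$NOTIFY_SOCKET` from a small self-contained helper instead of linking the library, or making `--with-systemd` an opt-in PACKAGECONFIG rather than following DISTRO_FEATURES. Both `sd_notify()` return values are discarded as well; a `debug()` on a negative return would make a misconfigured unit visible. The bodies of `sighup_restart()` and `main()` continue outside the hunks.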
diff --git a/meta/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch b/meta/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch
deleted file mode 100644
index b88bc18f12..0000000000
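--- a/meta/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 0f90440ca70abab947acbd77795e9f130967956c Mon Sep 17 00:00:00 2001
-From: Darren Tucker <dtucker@dtucker.net>
-Date: Fri, 20 Nov 2020 13:37:54 +1100
-Subject: [PATCH] Add new pselect6_time64 syscall on ARM.
-
-This is apparently needed on armhfp/armv7hl. bz#3232, patch from
-jjelen at redhat.com.
----
- sandbox-seccomp-filter.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-Upstream-Status: Backport
-[fixes issues on 32bit IA and probably other 32 bit platforms too with glibc 2.33]
-
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index e0768c063..5065ae7ef 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -267,6 +267,9 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_pselect6
- SC_ALLOW(__NR_pselect6),
- #endif
-+#ifdef __NR_pselect6_time64
-+ SC_ALLOW(__NR_pselect6_time64),
-+#endif
- #ifdef __NR_read
- SC_ALLOW(__NR_read),
- #endif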
diff --git a/meta/recipes-connectivity/openssh/openssh/run-ptest b/meta/recipes-connectivity/openssh/openssh/run-ptest
index ae03e929b2..b2244d725a 100755
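--- a/meta/recipes-connectivity/openssh/openssh/run-ptest
+++ b/meta/recipes-connectivity/openssh/openssh/run-ptest
@@ -4,8 +4,22 @@ export TEST_SHELL=sh
 export SKIP_UNIT=1
 
 cd regress
+
+# copied from openssh-portable/.github/run_test.sh
+output_failed_logs() {
+ for i in failed*.log; do
+ if [ -f "$i" ]; then
+ echo -------------------------------------------------------------------------
+ echo LOGFILE $i
+ cat $i
+ echo -------------------------------------------------------------------------
+ fi
+ done
+}
+trap output_failed_logs 0
+
 sed -i "/\t\tagent-ptrace /d" Makefile
-make -k .OBJDIR=`pwd` .CURDIR=`pwd` SUDO="sudo" tests \
+make -k BUILDDIR=`pwd`/.. .OBJDIR=`pwd` .CURDIR=`pwd` SUDO="" tests \
  | sed -u -e 's/^skipped/SKIP: /g' -e 's/^ok /PASS: /g' -e 's/^failed/FAIL: /g'
 
 SSHAGENT=`which ssh-agent`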
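Review bot: `echo LOGFILE $i` and `cat $i` in `output_failed_logs` expand `$i` unquoted, although the `[ -f "$i" ]` test two lines above quotes it; a log name containing whitespace or glob characters would be split or re-expanded. Use `echo LOGFILE "$i"` and `cat "$i"`. The function also lacks a comment saying it runs from the `trap ... 0` exit handler; a line such as `# Dump the logs of failed tests on exit so they show up in the ptest output` would state the intent. The script continues past the end of the hunk.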
diff --git a/meta/recipes-connectivity/openssh/openssh/ssh_config b/meta/recipes-connectivity/openssh/openssh/ssh_config
index e0d023803e..cb2774a163 100644
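--- a/meta/recipes-connectivity/openssh/openssh/ssh_config
+++ b/meta/recipes-connectivity/openssh/openssh/ssh_config
@@ -1,4 +1,4 @@
-# $OpenBSD: ssh_config,v 1.33 2017/05/07 23:12:57 djm Exp $
+# $OpenBSD: ssh_config,v 1.35 2020/07/17 03:43:42 dtucker Exp $
 
 # This is the ssh client system-wide configuration file. See
 # ssh_config(5) for more information. This file provides defaults for
@@ -17,11 +17,11 @@
 # list of available options, their meanings and defaults, please see the
 # ssh_config(5) man page.
 
-Host *
- ForwardAgent yes
- ForwardX11 yes
-# RhostsRSAAuthentication no
-# RSAAuthentication yes
+Include /etc/ssh/ssh_config.d/*.conf
+
+# Host *
+# ForwardAgent no
+# ForwardX11 no
 # PasswordAuthentication yes
 # HostbasedAuthentication no
 # GSSAPIAuthentication no
@@ -36,7 +36,6 @@ Host *
 # IdentityFile ~/.ssh/id_ecdsa
 # IdentityFile ~/.ssh/id_ed25519
 # Port 22
-# Protocol 2
 # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
 # MACs hmac-md5,hmac-sha1,umac-64@openssh.com
 # EscapeChar ~
@@ -46,3 +45,4 @@ Host *
 # VisualHostKey no
 # ProxyCommand ssh -q -W %h:%p gateway.example.com
 # RekeyLimit 1G 1h
+# UserKnownHostsFile ~/.ssh/known_hosts.d/%k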
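Review bot: `Include /etc/ssh/ssh_config.d/*.conf` sits ahead of every other setting, and ssh_config uses the first value obtained for each option, so any drop-in file overrides whatever this file sets afterwards; nothing in the file says so. A short comment above the line, for example `# Drop-ins are read first and take precedence over the settings below; keep the directory root-owned and not group- or world-writable`, would make the precedence and the trust placed in that directory explicit. The same applies to the `Include /etc/ssh/sshd_config.d/*.conf` line this commit adds to sshd_config, where a drop-in can override `KbdInteractiveAuthentication no`. The recipe hunks visible here do not create either directory, so its ownership and mode are decided elsewhere.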
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.service b/meta/recipes-connectivity/openssh/openssh/sshd.service
new file mode 100644
index 0000000000..3e570ab1e5
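--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/sshd.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=OpenSSH server daemon
+Wants=sshdgenkeys.service
+After=sshdgenkeys.service
+After=nss-user-lookup.target
+
+[Service]
+Environment="SSHD_OPTS="
+EnvironmentFile=-/etc/default/ssh
+ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd
+ExecStart=-@SBINDIR@/sshd -D $SSHD_OPTS
+ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartSec=42s
+
+[Install]
+WantedBy=multi-user.target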
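Review bot: `ExecStart=-@SBINDIR@/sshd -D $SSHD_OPTS` carries the `-` prefix, which per systemd.service(5) makes a failing exit count as success, so `Restart=on-failure` will not bring sshd back after it exits with an error and the unit will not show as failed. Dropping the prefix, `ExecStart=@SBINDIR@/sshd -D $SSHD_OPTS`, lets the restart policy and the failure state work as written. The unit also sets no `Type=`, so the `sd_notify` READY=1 support patched into sshd by this commit is not used here; `Type=notify` would fit when sshd is built `--with-systemd`.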
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.socket b/meta/recipes-connectivity/openssh/openssh/sshd.socket
index 8d76d62309..7dd2ed0626 100644
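--- a/meta/recipes-connectivity/openssh/openssh/sshd.socket
+++ b/meta/recipes-connectivity/openssh/openssh/sshd.socket
@@ -1,6 +1,7 @@
 [Unit]
 Conflicts=sshd.service
 Wants=sshdgenkeys.service
+After=nss-user-lookup.target
 
 [Socket]
 ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd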
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
index 1931dc7153..606d1894b5 100644
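--- a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
+++ b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
@@ -6,6 +6,7 @@ generate_key() {
  local DIR="$(dirname "$FILE")"
 
  mkdir -p "$DIR"
+ rm -f ${FILE}.tmp
  ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE
 
  # Atomically rename file public key
@@ -56,8 +57,7 @@ while true ; do
  esac
 done
 
-HOST_KEYS=$(sed -n 's/^[ \t]*HostKey[ \t]\+\(.*\)/\1/p' "${sshd_config}")
-[ -z "${HOST_KEYS}" ] && HOST_KEYS="$SYSCONFDIR/ssh_host_rsa_key $SYSCONFDIR/ssh_host_ecdsa_key $SYSCONFDIR/ssh_host_ed25519_key"
+HOST_KEYS=$(sshd -G -f "${sshd_config}" | grep -i '^hostkey ' | cut -f2 -d' ')
 
 for key in ${HOST_KEYS} ; do
  [ -f $key ] && continue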
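Review bot: With the fallback line removed, `HOST_KEYS` is empty whenever `sshd -G -f "${sshd_config}"` fails (sshd not found on PATH, a configuration that does not parse), and the `for key in ${HOST_KEYS}` loop then generates nothing without any message; the pipeline also hides sshd's exit status behind `cut`. An explicit check after the assignment would surface that: `[ -n "${HOST_KEYS}" ] || { echo "no HostKey entries from sshd -G for ${sshd_config}" >&2; exit 1; }`. In the first hunk `rm -f ${FILE}.tmp` is unquoted while the `ssh-keygen -f "${FILE}.tmp"` line below it is quoted; `rm -f "${FILE}.tmp"` would match. `generate_key` and the script both extend beyond the hunks.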
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_config b/meta/recipes-connectivity/openssh/openssh/sshd_config
index 15f061b570..e9eaf93157 100644
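--- a/meta/recipes-connectivity/openssh/openssh/sshd_config
+++ b/meta/recipes-connectivity/openssh/openssh/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $
+# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
 
 # This is the sshd server system-wide configuration file. See
 # sshd_config(5) for more information.
@@ -10,6 +10,8 @@
 # possible, but leave them commented. Uncommented options override the
 # default value.
 
+Include /etc/ssh/sshd_config.d/*.conf
+
 #Port 22
 #AddressFamily any
 #ListenAddress 0.0.0.0
@@ -57,9 +59,9 @@ AuthorizedKeysFile .ssh/authorized_keys
 #PasswordAuthentication yes
 #PermitEmptyPasswords no
 
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
+# Change to yes to enable keyboard-interactive authentication (beware issues
+# with some PAM modules and threads)
+KbdInteractiveAuthentication no
 
 # Kerberos options
 #KerberosAuthentication no
@@ -73,13 +75,13 @@ ChallengeResponseAuthentication no
 
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
+# be allowed through the KbdInteractiveAuthentication and
 # PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
+# PAM authentication via KbdInteractiveAuthentication may bypass
 # the setting of "PermitRootLogin without-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
+# and KbdInteractiveAuthentication to 'no'.
 #UsePAM no
 
 #AllowAgentForwarding yes
@@ -92,7 +94,6 @@ ChallengeResponseAuthentication no
 #PrintMotd yes
 #PrintLastLog yes
 #TCPKeepAlive yes
-#UseLogin no
 #PermitUserEnvironment no
 Compression no
 ClientAliveInterval 15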
diff --git a/meta/recipes-connectivity/openssh/openssh_8.4p1.bb b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb
index 128e2e318a..36ffa49398 100644
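--- a/meta/recipes-connectivity/openssh/openssh_8.4p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb
@@ -5,8 +5,8 @@ Ssh (Secure Shell) is a program for logging into a remote machine \
 and for executing commands on a remote machine."
 HOMEPAGE = "http://www.openssh.com/"
 SECTION = "console/network"
-LICENSE = "BSD & ISC & MIT"
-LIC_FILES_CHKSUM = "file://LICENCE;md5=18d9e5a8b3dd1790d73502f50426d4d3"
+LICENSE = "BSD-2-Clause & BSD-3-Clause & ISC & MIT"
+LIC_FILES_CHKSUM = "file://LICENCE;md5=072979064e691d342002f43cd89c0394"
 
 DEPENDS = "zlib openssl virtual/crypt"
 DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
@@ -16,6 +16,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
  file://ssh_config \
  file://init \
  ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
+ file://sshd.service \
  file://sshd.socket \
  file://sshd@.service \
  file://sshdgenkeys.service \
@@ -24,37 +25,46 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
  file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
  file://sshd_check_keys \
  file://add-test-support-for-busybox.patch \
- file://0f90440ca70abab947acbd77795e9f130967956c.patch \
+ file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \
+ file://0001-systemd-Add-optional-support-for-systemd-sd_notify.patch \
  "
-SRC_URI[sha256sum] = "5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24"
+SRC_URI[sha256sum] = "490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd"
+
+CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here."
 
 # This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7
 # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
-CVE_CHECK_WHITELIST += "CVE-2014-9278"
+CVE_STATUS[CVE-2014-9278] = "not-applicable-platform: This CVE is specific to OpenSSH server, as used in Fedora and \
+Red Hat Enterprise Linux 7 and when running in a Kerberos environment"
+
+CVE_STATUS[CVE-2008-3844] = "not-applicable-platform: Only applies to some distributed RHEL binaries."
 
 PAM_SRC_URI = "file://sshd"
 
 inherit manpages useradd update-rc.d update-alternatives systemd
 
 USERADD_PACKAGES = "${PN}-sshd"
-USERADD_PARAM_${PN}-sshd = "--system --no-create-home --home-dir /var/run/sshd --shell /bin/false --user-group sshd"
+USERADD_PARAM:${PN}-sshd = "--system --no-create-home --home-dir /var/run/sshd --shell /bin/false --user-group sshd"
 INITSCRIPT_PACKAGES = "${PN}-sshd"
-INITSCRIPT_NAME_${PN}-sshd = "sshd"
-INITSCRIPT_PARAMS_${PN}-sshd = "defaults 9"
+INITSCRIPT_NAME:${PN}-sshd = "sshd"
+INITSCRIPT_PARAMS:${PN}-sshd = "defaults 9"
 
 SYSTEMD_PACKAGES = "${PN}-sshd"
-SYSTEMD_SERVICE_${PN}-sshd = "sshd.socket"
+SYSTEMD_SERVICE:${PN}-sshd = "${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','sshd.socket', '', d)} ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','sshd.service', '', d)}"
 
-inherit autotools-brokensep ptest
+inherit autotools-brokensep ptest pkgconfig
+DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
 
-PACKAGECONFIG ??= "rng-tools"
+# systemd-sshd-socket-mode means installing sshd.socket
+# and systemd-sshd-service-mode corresponding to sshd.service
+PACKAGECONFIG ??= "systemd-sshd-socket-mode"
+PACKAGECONFIG[fido2] = "--with-security-key-builtin,--disable-security-key,libfido2"
 PACKAGECONFIG[kerberos] = "--with-kerberos5,--without-kerberos5,krb5"
 PACKAGECONFIG[ldns] = "--with-ldns,--without-ldns,ldns"
 PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit"
 PACKAGECONFIG[manpages] = "--with-mantype=man,--with-mantype=cat"
-
-# Add RRECOMMENDS to rng-tools for sshd package
-PACKAGECONFIG[rng-tools] = ""
+PACKAGECONFIG[systemd-sshd-socket-mode] = ""
+PACKAGECONFIG[systemd-sshd-service-mode] = ""
 
 EXTRA_AUTORECONF += "--exclude=aclocal"
 
@@ -66,10 +76,18 @@ EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \
  --sysconfdir=${sysconfdir}/ssh \
  --with-xauth=${bindir}/xauth \
  --disable-strip \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '--with-systemd', '--without-systemd', d)} \
  "
 
 # musl doesn't implement wtmp/utmp and logwtmp
-EXTRA_OECONF_append_libc-musl = " --disable-wtmp --disable-lastlog"
+EXTRA_OECONF:append:libc-musl = " --disable-wtmp --disable-lastlog"
+
+# Work around ICE on mips/mips64 starting in 9.6p1
+EXTRA_OECONF:append:mips = " --without-hardening"
+EXTRA_OECONF:append:mips64 = " --without-hardening"
+
+# Work around ICE on powerpc64le starting in 9.6p1
+EXTRA_OECONF:append:powerpc64le = " --without-hardening"
 
 # Since we do not depend on libbsd, we do not want configure to use it
 # just because it finds libutil.h. But, specifying --disable-libutil
@@ -82,20 +100,17 @@ CACHED_CONFIGUREVARS += "ac_cv_path_PATH_PASSWD_PROG=${bindir}/passwd"
 # We don't want to depend on libblockfile
 CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no"
 
-do_configure_prepend () {
+do_configure:prepend () {
  export LD="${CC}"
- install -m 0644 ${WORKDIR}/sshd_config ${B}/
- install -m 0644 ${WORKDIR}/ssh_config ${B}/
+ install -m 0644 ${UNPACKDIR}/sshd_config ${B}/
+ install -m 0644 ${UNPACKDIR}/ssh_config ${B}/
 }
 
 do_compile_ptest() {
- # skip regress/unittests/ binaries: this will silently skip
- # unittests in run-ptests which is good because they are so slow.
- oe_runmake regress/modpipe regress/setuid-allowed regress/netcat \
- regress/check-perm regress/mkdtemp
+ oe_runmake regress-binaries regress-unit-binaries
 }
 
-do_install_append () {
+do_install:append () {
  if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then
  install -D -m 0644 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd
  sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/sshd_config
@@ -121,15 +136,25 @@ do_install_append () {
  echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
  echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
 
- install -d ${D}${systemd_unitdir}/system
- install -c -m 0644 ${WORKDIR}/sshd.socket ${D}${systemd_unitdir}/system
- install -c -m 0644 ${WORKDIR}/sshd@.service ${D}${systemd_unitdir}/system
- install -c -m 0644 ${WORKDIR}/sshdgenkeys.service ${D}${systemd_unitdir}/system
+ install -d ${D}${systemd_system_unitdir}
+ if ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','true','false',d)}; then
+ install -c -m 0644 ${WORKDIR}/sshd.socket ${D}${systemd_system_unitdir}
+ install -c -m 0644 ${WORKDIR}/sshd@.service ${D}${systemd_system_unitdir}
+ sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
+ -e 's,@SBINDIR@,${sbindir},g' \
+ -e 's,@BINDIR@,${bindir},g' \
+ -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
+ ${D}${systemd_system_unitdir}/sshd.socket
+ fi
+ if ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','true','false',d)}; then
+ install -c -m 0644 ${WORKDIR}/sshd.service ${D}${systemd_system_unitdir}
+ fi
+ install -c -m 0644 ${WORKDIR}/sshdgenkeys.service ${D}${systemd_system_unitdir}
  sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
  -e 's,@SBINDIR@,${sbindir},g' \
  -e 's,@BINDIR@,${bindir},g' \
  -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
- ${D}${systemd_unitdir}/system/sshd.socket ${D}${systemd_unitdir}/system/*.service
+ ${D}${systemd_system_unitdir}/*.service
 
  sed -i -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
  ${D}${sysconfdir}/init.d/sshd
@@ -140,41 +165,38 @@ do_install_append () {
 do_install_ptest () {
  sed -i -e "s|^SFTPSERVER=.*|SFTPSERVER=${libexecdir}/sftp-server|" regress/test-exec.sh
  cp -r regress ${D}${PTEST_PATH}
+ cp config.h ${D}${PTEST_PATH}
 }
 
-ALLOW_EMPTY_${PN} = "1"
+ALLOW_EMPTY:${PN} = "1"
 
 PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server"
-FILES_${PN}-scp = "${bindir}/scp.${BPN}"
-FILES_${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
-FILES_${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_unitdir}/system"
-FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
-FILES_${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys"
-FILES_${PN}-sftp = "${bindir}/sftp"
-FILES_${PN}-sftp-server = "${libexecdir}/sftp-server"
-FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*"
-FILES_${PN}-keygen = "${bindir}/ssh-keygen"
+FILES:${PN}-scp = "${bindir}/scp.${BPN}"
+FILES:${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
+FILES:${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}"
+FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
+FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys"
+FILES:${PN}-sftp = "${bindir}/sftp"
+FILES:${PN}-sftp-server = "${libexecdir}/sftp-server"
+FILES:${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*"
+FILES:${PN}-keygen = "${bindir}/ssh-keygen"
 
-RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen"
-RDEPENDS_${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}"
-RRECOMMENDS_${PN}-sshd_append_class-target = "\
- ${@bb.utils.filter('PACKAGECONFIG', 'rng-tools', d)} \
-"
-
+RDEPENDS:${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen ${PN}-sftp-server"
+RDEPENDS:${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}"
 # gdb would make attach-ptrace test pass rather than skip but not worth the build dependencies
-RDEPENDS_${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed sudo coreutils"
+RDEPENDS:${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed coreutils openssl-bin"
 
-RPROVIDES_${PN}-ssh = "ssh"
-RPROVIDES_${PN}-sshd = "sshd"
+RPROVIDES:${PN}-ssh = "ssh"
+RPROVIDES:${PN}-sshd = "sshd"
 
-RCONFLICTS_${PN} = "dropbear"
-RCONFLICTS_${PN}-sshd = "dropbear"
+RCONFLICTS:${PN} = "dropbear"
+RCONFLICTS:${PN}-sshd = "dropbear"
 
-CONFFILES_${PN}-sshd = "${sysconfdir}/ssh/sshd_config"
-CONFFILES_${PN}-ssh = "${sysconfdir}/ssh/ssh_config"
+CONFFILES:${PN}-sshd = "${sysconfdir}/ssh/sshd_config"
+CONFFILES:${PN}-ssh = "${sysconfdir}/ssh/ssh_config"
 
 ALTERNATIVE_PRIORITY = "90"
-ALTERNATIVE_${PN}-scp = "scp"
-ALTERNATIVE_${PN}-ssh = "ssh"
+ALTERNATIVE:${PN}-scp = "scp"
+ALTERNATIVE:${PN}-ssh = "ssh"
 
 BBCLASSEXTEND += "nativesdk"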
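Review bot: `EXTRA_OECONF:append:mips`, `:mips64` and `:powerpc64le` pass `--without-hardening`, which switches off the toolchain hardening flags that OpenSSH's configure would otherwise add, for sshd and the client tools alike on those targets, and the comments say only "Work around ICE ... starting in 9.6p1" with no bug reference or removal condition. If the internal compiler error is tied to a single flag, disabling only that flag would keep the rest of the hardening; otherwise extend the comment, for example `# Drops all configure-added hardening flags on this arch; remove when <toolchain bug reference> is fixed`. Separately, `do_configure:prepend` now reads from `${UNPACKDIR}` while the `install` lines in `do_install:append` still read from `${WORKDIR}`, which works only as long as both point at the same directory.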